Free Malware Removal Forum


Please could someone help with a problem I have with a trojan/virus? It won't let me run Adaware or update Adaware, and it re-redirects my Google searches to pages like Yahoo/Facebook etc. My HijackThis log is below if you can help. Many thanks, David

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked

Click the "X" in the upper right corner of the HiJackThis window to close it.

-----------------------------------------------------------
Remove Programs Using Control Panel

From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.

Highlight each Entry, as follows, one by one, if it exists, and choose Remove:
Crawler
Ad-Aware
a-square

Take extra care in answering questions posed by any Uninstaller.

-----------------------------------------------------------
REBOOT (RESTART) Your Machine

-----------------------------------------------------------
Post a New HiJackThis Log

Start HijackThis. Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT

Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...

The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder. In addition, the list opens in Notepad so you can also save as another name in another location if you wish. Please paste the contents into your next reply.

askey127

tiggs1603,

-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs

It is posted here: http://malwareremoval.com/forum/viewtopic.php?f=11&t=33112

As a condition of receiving our help, I have included the P2P program µTorrent in the removal instructions below, so we are not wasting our time.

-----------------------------------------------------------
Remove Registry items with HijackThis.

Start HijackThis. Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\system32\mqsv32.exe (file missing)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked

Click the "X" in the upper right corner of the HiJackThis window to close it.

-----------------------------------------------------------
Remove Programs Using Control Panel

From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.

Highlight each Entry, as follows, one by one, if it exists, and choose Remove:
Java(TM) 6 Update 7
µTorrent
Spybot S&D
Logitech Desktop Messenger

Take extra care in answering questions posed by any Uninstaller.
You can re-install Spybot after we are through.

------------------------------------------------
Download and Run Rkill

Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four

Double click on Rkill.

A command window will open then disappear upon completion, this is normal.

Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.

----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware

Start Malwarebytes' Anti-Malware.

Click on The Update tab. Choose Check for Updates.

If an update is found, it will download and install the latest version.

If necessary, start Malwarebytes Anti-Malware again.

Once the program is running, select Perform Quick Scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.

The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.

Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt

tiggs1603,

OK, the virus scan part looks good.
Now let's see if we can locate any redirects planted elsewhere.

----------------------------------------------
Run Temp File Cleaner

Download Temp File Cleaner and save it to your desktop.
Double click to run it.
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running. After Restart, log back in to your usual account.

-----------------------------------------------
Run the RSIT Scanner

Please download the scanner from here and save it to your desktop. The icon will be named RSIT.exe
Double-click the RSIT icon.
When the scan is complete, two text files will open:
log.txt <- this one will be maximized
info.txt <- this one will be minimized
(Both files will be saved here -> C:\rsit\ )

Copy/Paste the contents of both log.txt and info.txt into your next post please. Use two posts if you prefer.

Computer Name: DAVID
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established


tiggs1603,

-----------------------------------------------------------
Remove Programs Using Control Panel

From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.

Highlight each Entry, as follows, one by one, if it exists, and choose Remove:
Spybot Search and Destroy
Windows Live OneCare safety scanner
Registry Mechanic 6.0
PeerGuardian 2.0

Take extra care in answering questions posed by any Uninstaller. If the Uninstaller for Spybot asks whether you want to remove all settings, answer YES.

-----------------------------------------------------------
REBOOT (RESTART) Your Machine

-----------------------------------------------------------
Uninstall the Crawler Toolbar

Click on "Uninstall" and then click on "Yes" to allow the uninstaller to close all open Web windows so the uninstaller can remove the Crawler Toolbar components.

Click on "Yes" again to allow the computer to reboot and finish the removal of the Crawler Toolbar.

-----------------------------------------------------------
REBOOT (RESTART) Your Machine One More Time

-----------------------------------------------------------
Post a New HiJackThis Log

Start HijackThis. Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey127

Hi, Spybot was not found, but I searched all files & folders for Spybot & found some data & backup files, so I deleted them.

I have deleted Peer Guardian, Windows Livecare scanner & Registry Mechanic & Crawler toolbar.

Those win32/bagle.gen.zip worm files have not been deleted yet, should I delete them yet?

Your machine was set to funnel internet transactions through a Ukrainian server. We have fixed that, but need to check on what system changes may have been made without authorization in the meantime.

-----------------------------------------------------------
Remove Registry items with HijackThis.

Start HijackThis. Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O4 - HKCU\..\Run: [] C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked

Click the "X" in the upper right corner of the HiJackThis window to close it.

-----------------------------------------------------------
Open Notepad. Copy and paste the contents of the following code box into the Notepad text. (Don't copy the word "Code")

Use Notepad's File, Save As and save it to your desktop as File type All Files (not as text file or it won't work), and file name FixSvc.bat

Exit Notepad and double click on FixSvc.bat

A Command window will flash on and off.

-----------------------------------------------------------
REBOOT (RESTART) Your Machine

-----------------------------------------------------------
Post a New HiJackThis Log

Start HijackThis. Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

Do you still get the redirects, and if so, does it happen in both Internet Explorer and Firefox, or only one of them?

Tell me how it goes, and the answer about IE/Firefox.

askey127
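An added example, not part of the thread and not HijackThis's own code: a small Python triage over the three entry lines askey127 asked to have checked, flagging the markers visible in them ("(file missing)", "Unknown owner", an empty Run value name). The regular expressions and flag names are assumptions derived only from these three lines, and a flag is a prompt for review, not a verdict.

```python
import re

# Entry lines copied from the thread above; the elided URL is kept as posted.
SAMPLE = r"""
O4 - HKCU\..\Run: [] C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\system32\mqsv32.exe (file missing)
"""

# Assumed shapes, inferred from the lines above (not an official grammar).
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
SERVICE = re.compile(
    r"^Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


def triage(line):
    """Return (section_code, flags) for one entry line, or None if it is not one."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    flags = []
    if body.endswith("(file missing)"):
        flags.append("file-missing")        # registration points at a file that is gone
    if code == "O4":
        run = RUN.match(body)
        if run and run["name"] == "":
            flags.append("empty-value-name")  # autostart entry with no value name
    elif code == "O23":
        svc = SERVICE.match(body)
        if svc and svc["owner"] == "Unknown owner":
            flags.append("unknown-owner")     # service binary with no identified owner
    return code, flags


def report(text):
    """Triage every line and keep only the entries that raised a flag."""
    results = (triage(line) for line in text.splitlines())
    return [r for r in results if r and r[1]]


if __name__ == "__main__":
    for code, flags in report(SAMPLE):
        print(code, ", ".join(flags))
```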

Hi

Thanks again for all your help, I have not had any re-directs for a few days now. Was only using Firefox anyway. I have checked IE & that is not re-directing. I have done as instructed & here is my latest log.
